Support golang as package manager

Author: kyoshidajp

README.md

@@ -19,7 +19,7 @@ However, some packages have archived their source code repositories or have had
 | Python | poetry | poetry.lock | (later) |
 | Python | pipenv | Pipfile.lock | (later) |
 | PHP | composer | composer.lock | :heavy_check_mark: |
-| Go | | go.sum | (later) |
+| Go | golang | go.mod | :heavy_check_mark: |
 | Rust | cargo | Cargo.lock | (later) |
 
 ## Support repository hosting services

cmd/bundler.go

@@ -23,8 +23,8 @@ func (d *BundlerDoctor) Deps(r parser_io.ReadSeekerAt) []types.Library {
 	return deps
 }
 
-func (d *BundlerDoctor) SourceCodeURL(name string) (string, error) {
-	rubyGems := RubyGems{name: name}
+func (d *BundlerDoctor) SourceCodeURL(lib types.Library) (string, error) {
+	rubyGems := RubyGems{name: lib.Name}
 	url, err := rubyGems.fetchURLFromRegistry(d.HTTPClient)
 	return url, err
 }

cmd/composer.go

@@ -23,8 +23,8 @@ func (d *ComposerDoctor) Deps(r parser_io.ReadSeekerAt) []types.Library {
 	return deps
 }
 
-func (d *ComposerDoctor) SourceCodeURL(name string) (string, error) {
-	packagist := Packagist{name: name}
+func (d *ComposerDoctor) SourceCodeURL(lib types.Library) (string, error) {
+	packagist := Packagist{lib: lib}
 	url, err := packagist.fetchURLFromRegistry(d.HTTPClient)
 	return url, err
 }

cmd/diagnose.go

@@ -36,7 +36,7 @@ type Diagnosis struct {
 
 type MedicalTechnician interface {
 	Deps(r parser_io.ReadSeekerAt) []types.Library
-	SourceCodeURL(name string) (string, error)
+	SourceCodeURL(lib types.Library) (string, error)
 }
 
 func FetchRepositoryParams(libs []types.Library, g MedicalTechnician) []github.FetchRepositoryParam {
@@ -54,7 +54,7 @@ func FetchRepositoryParams(libs []types.Library, g MedicalTechnician) []github.F
 
 			fmt.Printf("%s\n", lib.Name)
 
-			githubUrl, err := g.SourceCodeURL(lib.Name)
+			githubUrl, err := g.SourceCodeURL(lib)
 			if err != nil {
 				return
 			}
@@ -164,6 +164,7 @@ var doctors = map[string]MedicalTechnician{
 	"pip":      NewPipDoctor(),
 	"npm":      NewNPMDoctor(),
 	"composer": NewComposerDoctor(),
+	"golang":   NewGolangDoctor(),
 }
 
 var diagnoseCmd = &cobra.Command{

cmd/golang.go

@@ -0,0 +1,34 @@
+package cmd
+
+import (
+	"net/http"
+
+	"github.com/aquasecurity/go-dep-parser/pkg/golang/mod"
+	parser_io "github.com/aquasecurity/go-dep-parser/pkg/io"
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
+)
+
+type GolangDoctor struct {
+	HTTPClient http.Client
+}
+
+func NewGolangDoctor() *GolangDoctor {
+	client := &http.Client{}
+	return &GolangDoctor{HTTPClient: *client}
+}
+
+func (d *GolangDoctor) Deps(r parser_io.ReadSeekerAt) []types.Library {
+	p := &mod.Parser{}
+	deps, _, _ := p.Parse(r)
+	return deps
+}
+
+func (d *GolangDoctor) SourceCodeURL(lib types.Library) (string, error) {
+	proxyGolang := ProxyGolang{lib: lib}
+	if len(lib.ExternalReferences) > 0 {
+		return lib.ExternalReferences[0].URL, nil
+	}
+
+	url, err := proxyGolang.fetchURLFromRegistry(d.HTTPClient)
+	return url, err
+}

cmd/golang/mod/testdata/go.mod

@@ -0,0 +1,10 @@
+module github.com/org/repo
+
+go 1.17
+
+require github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff
+
+require (
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+)

cmd/nodejs.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
 )
 
 // https://docs.npmjs.com/cli/v8/using-npm/registry
@@ -18,11 +20,11 @@ type NodejsRegistryResponse struct {
 }
 
 type Nodejs struct {
-	name string
+	lib types.Library
 }
 
 func (n *Nodejs) fetchURLFromRegistry(client http.Client) (string, error) {
-	url := fmt.Sprintf(NODEJS_REGISTRY_API, n.name)
+	url := fmt.Sprintf(NODEJS_REGISTRY_API, n.lib.Name)
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return "", err

cmd/nodejs_test.go

@@ -5,17 +5,20 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestNodejs_fetchURLFromRegistry(t *testing.T) {
 	tests := []struct {
-		name     string
-		dep_name string
+		name string
+		lib  types.Library
 	}{
 		{
-			name:     "source_code_uri exists",
-			dep_name: "react",
+			name: "source_code_uri exists",
+			lib: types.Library{
+				Name: "react",
+			},
 		},
 	}
 	expects := []struct {
@@ -30,7 +33,7 @@ func TestNodejs_fetchURLFromRegistry(t *testing.T) {
 
 	for i, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			n := Nodejs{name: tt.dep_name}
+			n := Nodejs{lib: tt.lib}
 			r, _ := n.fetchURLFromRegistry(http.Client{})
 			expect := expects[i]
 			assert.Equal(t, true, strings.HasPrefix(r, expect.url))

cmd/npm.go

@@ -22,8 +22,8 @@ func (d *NPMDoctor) Deps(r parser_io.ReadSeekerAt) []types.Library {
 	return deps
 }
 
-func (d *NPMDoctor) SourceCodeURL(name string) (string, error) {
-	nodejs := Nodejs{name: name}
+func (d *NPMDoctor) SourceCodeURL(lib types.Library) (string, error) {
+	nodejs := Nodejs{lib: lib}
 	url, err := nodejs.fetchURLFromRegistry(d.HTTPClient)
 	return url, err
 }

cmd/packagist.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
 )
 
 // https://packagist.org/apidoc#get-package-data
@@ -20,11 +22,11 @@ type PackagistRegistryResponse struct {
 }
 
 type Packagist struct {
-	name string
+	lib types.Library
 }
 
 func (p *Packagist) fetchURLFromRegistry(client http.Client) (string, error) {
-	url := fmt.Sprintf(PACKAGIST_REGISTRY_API, p.name)
+	url := fmt.Sprintf(PACKAGIST_REGISTRY_API, p.lib.Name)
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return "", err
@@ -49,5 +51,5 @@ func (p *Packagist) fetchURLFromRegistry(client http.Client) (string, error) {
 		return "", nil
 	}
 
-	return registryResponse.Packages[p.name][0].Source.URL, nil
+	return registryResponse.Packages[p.lib.Name][0].Source.URL, nil
 }

cmd/pip.go

@@ -23,8 +23,8 @@ func (d *PipDoctor) Deps(r parser_io.ReadSeekerAt) []types.Library {
 	return deps
 }
 
-func (d *PipDoctor) SourceCodeURL(name string) (string, error) {
-	pypi := Pypi{name: name}
+func (d *PipDoctor) SourceCodeURL(lib types.Library) (string, error) {
+	pypi := Pypi{name: lib.Name}
 	url, err := pypi.fetchURLFromRegistry(d.HTTPClient)
 	return url, err
 }

cmd/proxy_golang.go

@@ -0,0 +1,54 @@
+package cmd
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
+)
+
+// https://proxy.golang.org/
+const PROXY_GOLANG_REGISTRY_API = "https://proxy.golang.org/%s/@latest"
+
+type ProxyGolangRegistryResponse struct {
+	Origin struct {
+		Vcs string `json:"VCS"`
+		URL string `json:"URL"`
+	} `json:"Origin"`
+}
+
+type ProxyGolang struct {
+	lib types.Library
+}
+
+func (g *ProxyGolang) fetchURLFromRegistry(client http.Client) (string, error) {
+	url := fmt.Sprintf(PROXY_GOLANG_REGISTRY_API, g.lib.Name)
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || 299 < resp.StatusCode {
+		m := fmt.Sprintf("Got status code: %d from %s", resp.StatusCode, PROXY_GOLANG_REGISTRY_API)
+		return "", errors.New(m)
+	}
+
+	body, _ := io.ReadAll(resp.Body)
+
+	var ProxyGolangRegistryResponse ProxyGolangRegistryResponse
+	err = json.Unmarshal(body, &ProxyGolangRegistryResponse)
+	if err != nil {
+		return "", err
+	}
+
+	return ProxyGolangRegistryResponse.Origin.URL, nil
+}

cmd/yarn.go

@@ -23,8 +23,8 @@ func (d *YarnDoctor) Deps(r parser_io.ReadSeekerAt) []types.Library {
 	return deps
 }
 
-func (d *YarnDoctor) SourceCodeURL(name string) (string, error) {
-	nodejs := Nodejs{name: name}
+func (d *YarnDoctor) SourceCodeURL(lib types.Library) (string, error) {
+	nodejs := Nodejs{lib: lib}
 	url, err := nodejs.fetchURLFromRegistry(d.HTTPClient)
 	return url, err
 }

go.mod

@@ -16,6 +16,7 @@ require (
 	go.uber.org/multierr v1.10.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 // indirect
+	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
@@ -27,7 +28,7 @@ require (
 
 require (
 	github.com/MakeNowJust/heredoc v1.0.0
-	github.com/aquasecurity/go-dep-parser v0.0.0-20231013060839-6f348921ea39
+	github.com/aquasecurity/go-dep-parser v0.0.0-20231030050624-4548cca9a5c9
 	github.com/fatih/color v1.15.0
 	github.com/google/go-cmp v0.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

go.sum

@@ -2,6 +2,8 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/aquasecurity/go-dep-parser v0.0.0-20231013060839-6f348921ea39 h1:5yB6PHCaU4yZzN1mMFnrpBerz2pgqYdDRRVSOj4EjVo=
 github.com/aquasecurity/go-dep-parser v0.0.0-20231013060839-6f348921ea39/go.mod h1:RpdbxLhxxvWmv83HWNEiv+reFkmnV+GqHqr66mIU8nU=
+github.com/aquasecurity/go-dep-parser v0.0.0-20231030050624-4548cca9a5c9 h1:AYees+PQjw47SEdM6e/xxgrFzHA+UWxQl6WndDzILNY=
+github.com/aquasecurity/go-dep-parser v0.0.0-20231030050624-4548cca9a5c9/go.mod h1:RpdbxLhxxvWmv83HWNEiv+reFkmnV+GqHqr66mIU8nU=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -53,6 +55,8 @@ go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 h1:K3x+yU+fbot38x5bQbU2QqUAVyYLEktdNH2GxZLnM3U=
 golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE=
+golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=